
FTP Security on VPS and Reseller Accounts

We are aware that a number of reseller hosting and VPS hosting accounts are also being affected by unauthorised FTP uploads. On our shared hosting accounts we know which domains have been created and can alter them directly from our systems; with reseller and VPS accounts we cannot do this directly.

We can however offer you a method to restrict FTP access to a certain IP address or a subset of IP addresses.

The first thing to do is to determine your own IP address – one of the easiest ways of doing this is to visit http://www.whatismyip.com/. At the top of the page it will say ‘Your IP Address Is: 1.2.3.4’

If you are on a static IP then this is all you need to do. If, however, you are on a dynamically assigned IP address, your IP will change on a regular basis, so you will need to know the range of IPs you could possibly be assigned. While you are still on the http://www.whatismyip.com/ site, look at the left for a link marked ‘IP WHOIS Lookup’; click this, followed by the button ‘Whois Lookup’. The screen will now show a lot more information about your IP address.

In the output on this screen you should see something like this:

inetnum : 1.2.3.0 – 1.2.7.255

This is the range of IPs that you could be assigned.

Now that we have the possible range of IPs this is how to proceed.

In a text editor on your computer create a file named ‘.ftpaccess’ (note the ‘dot’ at the beginning of the name).

The contents of this file will be as follows if you have a static IP address:

<Limit ALL>
DenyALL
Allow 127.0.0.1
Allow 1.2.3.4
</Limit>

The Allow 127.0.0.1 is left in as a backup so that you can still reach the files via the file manager in siteadmin should you need to.

If you are on a dynamically assigned IP then you will need to allow some ranges. Based on our example inetnum output above our file would look like this:

<Limit ALL>
DenyALL
Allow 127.0.0.1
Allow 1.2.3.
Allow 1.2.4.
Allow 1.2.5.
Allow 1.2.6.
Allow 1.2.7.
</Limit>

Now simply upload this file to the httpdocs, httpsdocs and cgi-bin folders. This will stop anyone bar the named IP ranges from being able to access these key folders. You can also do the same with webusers and subdomains if you use these.

This change does not affect SFTP or SCP, so if you only use those protocols you could instead use a file with the following:

<Limit ALL>
DenyALL
</Limit>

This will stop all FTP access to your site. Please contact our Client Service and Support Department with any questions or comments on this important security measure.
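As an added example (written for this page, not the hosting provider's own tooling), the following Python script carries out the procedure above: it parses the whois inetnum line, turns the range into the Allow lines the article shows, builds the .ftpaccess text with DenyALL and the 127.0.0.1 backup entry, writes it with Unix line feeds, and lets you check locally which client addresses the file would admit. It goes beyond the article's case: whole /16 blocks become two-octet prefixes ('1.104.'), a single host becomes a plain address, and a range that does not fill whole /24 or /16 blocks is emitted in CIDR notation, which ProFTPD also accepts. The function names, the sample inetnum value and the max_lines cap are assumptions of this example; is_allowed models the file's intent and is not the server's own evaluation.

```python
import ipaddress
import re
from pathlib import Path

# Constructed sample input: the whois line quoted in the article (en dash separator).
SAMPLE_INETNUM = "inetnum : 1.2.3.0 \u2013 1.2.7.255"


def parse_inetnum(text):
    """Turn a whois 'inetnum' line or a bare 'a.b.c.d - w.x.y.z' range into two addresses.
    Accepts '-', an en dash or 'to' as the separator, with or without spaces."""
    if ":" in text:                      # drop the 'inetnum :' label if present
        text = text.split(":", 1)[1]
    parts = re.split(r"\s*(?:-|\u2013|\bto\b)\s*", text.strip(), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"unrecognised range: {text!r}")
    first, last = (ipaddress.ip_address(p) for p in parts)
    if last < first:
        raise ValueError("range end precedes range start")
    return first, last


def allow_entries(first, last, max_lines=64):
    """Return the arguments for ProFTPD 'Allow' lines covering first..last.
    Whole /24 or /16 blocks become the dotted prefixes the article uses
    ('1.2.3.' or '1.104.'); a single host becomes a plain address; anything
    else, or a range needing more than max_lines prefixes, is emitted as CIDR."""
    out = []
    for net in ipaddress.summarize_address_range(first, last):
        if net.prefixlen == 32:
            out.append(str(net.network_address))
            continue
        if 16 < net.prefixlen <= 24:
            target = 24                  # split into /24s -> 'a.b.c.'
        elif 8 < net.prefixlen <= 16:
            target = 16                  # split into /16s -> 'a.b.'
        else:
            target = None
        if target is not None and 2 ** (target - net.prefixlen) <= max_lines:
            for sub in net.subnets(new_prefix=target):
                octets = str(sub.network_address).split(".")
                out.append(".".join(octets[: target // 8]) + ".")
        else:
            out.append(str(net))         # CIDR fallback, e.g. '1.2.3.0/28'
    return out


def render_ftpaccess(entries, keep_local=True):
    """Build the .ftpaccess text: DenyALL first, then one Allow per entry.
    127.0.0.1 is kept so the control panel's file manager still works."""
    lines = ["<Limit ALL>", "DenyALL"]
    if keep_local:
        lines.append("Allow 127.0.0.1")
    lines += [f"Allow {e}" for e in entries]
    lines.append("</Limit>")
    return "\n".join(lines) + "\n"


def write_ftpaccess(path, text):
    """Write bytes directly so the file gets LF line endings on every platform
    (comment 6 below reports that a file with Windows CRLF endings did not work)."""
    Path(path).write_bytes(text.encode("ascii"))


def has_crlf(data):
    """True if the file content contains Windows line endings."""
    return b"\r\n" in data


def is_allowed(text, client_ip):
    """Local check of which clients the file admits: with DenyALL present a
    client passes only if some Allow entry (address, dotted prefix or CIDR)
    matches. This models the file's intent, not the server's full Order logic."""
    ip = ipaddress.ip_address(client_ip)
    deny_all, allowed = False, False
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        word = parts[0].lower()
        if word == "denyall":
            deny_all = True
        elif word == "allow":
            for entry in parts[1:]:
                if entry.endswith("."):
                    allowed |= str(ip).startswith(entry)
                elif "/" in entry:
                    allowed |= ip in ipaddress.ip_network(entry, strict=False)
                else:
                    allowed |= ip == ipaddress.ip_address(entry)
    return allowed or not deny_all


if __name__ == "__main__":
    first, last = parse_inetnum(SAMPLE_INETNUM)
    text = render_ftpaccess(allow_entries(first, last))
    print(text, end="")
    for probe in ("1.2.5.9", "1.2.30.9", "127.0.0.1"):
        print(probe, "allowed" if is_allowed(text, probe) else "denied")
```

Run it as-is to see the five-line Allow list from the article reproduced; pass a different range to parse_inetnum to generate your own file, then upload the result to httpdocs, httpsdocs and cgi-bin as described. The trailing dot in a prefix entry matters: '1.2.3.' cannot match 1.2.30.x, which is why the check compares against the dotted prefix rather than the bare number.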

6 Comments

  1. Can you also use CIDR notation? e.g.

    Allow 1.2.3.4/28

  2. It should be noted that you CAN NOT access subdomains using SFTP so DO NOT apply a .ftpaccess with the following content to subdomains

    DenyALL

    else you will no longer have any form of ftp access to them.

  3. if you have a huge IP range such as
    1.104.0.0 to 1.111.255.255
    then simply use the first two numbers in your allow statement so for the above you would have 8 allows
    Allow 1.104.
    Allow 1.105.
    Allow 1.106.
    Allow 1.107.
    Allow 1.108.
    Allow 1.109.
    Allow 1.110.
    Allow 1.111.

  4. Great tip, thanks.
    I take it that Philip’s advice applies to ANY long range of IPs, i.e. as provided by ISPs like BT? Just use the first two numbers followed by a final full stop?

  5. on VPS accounts (can’t say for the resellers) you’ll also need to make sure that the .ftpaccess file is not readable through webclients (i.e. browsing to http://www.yourdomain.com/.ftpaccess should not display the file).

    To do this, you’ll need to edit the /etc/httpd/conf/httpd.conf file through vi or some other unix editor. You’ll see a section preventing .htaccess and .htpasswd files from being displayed. The simplest thing is to copy it and change the filename:

    # Same shape as the stock block that hides .ht* files, with the filename changed
    <Files ~ "^\.ftpaccess">
    Order allow,deny
    Deny from all
    </Files>

    Alternatively, this could go in the .htaccess file at the top level. Better in the overall config, I suggest, affecting all sites.

    Once edited, you’ll no doubt have to restart the service:
    service httpd restart

  6. Despite having an .ftpaccess file in place, a charity site I run has again found itself with lots of dodgy hidden links in its pages. I suspect the problem may be because I created the .ftpaccess file using Dreamweaver 4 with the wrong Line Feed characters – these files apparently MUST have a Unix line feed or they will not work.

    I have another problem though. With these .ftpaccess files we are advised to use the enum range if we are not on a static IP address. This seemed reasonable but my ISP’s enum ranges seem to change with great frequency so this whole approach is not going to be very reliable for me.

    So, I’ve been wishing I could just turn OFF ftp access until I need it. And that is what I have decided to do, like this.

    1. Create an .ftpaccess file as above but leaving only ‘Deny all’ in the file, no other valid IP addresses and put it in the appropriate directories (httpdocs, httpsdocs and cgi-bin)

    2. Using Plesk file manager, change the permissions on the .ftpaccess file to what I think is called 644 or rw-r--r-- (which seems to be generally recommended for .htaccess files as a secure permission setting)

    3. If I want to FTP to the site I first go in to Plesk file manager and move the .ftpaccess file to a special purpose built directory called ftp-off

    4. Do whatever FTPing I need to do

    5. Go back into Plesk and move the .ftpaccess file into httpdocs (I move the file rather than rename it to retain the permissions settings)

    This is a rather belt and braces approach but as far as I can tell it locks off FTP so that only the person with Plesk access can use it.

    Now, none of my customers do any FTPing for themselves. But, if they did perhaps the solution would be to allow 127.0.0.1 to allow them access through siteadmin.